FCC’s Proposed Cybersecurity Regulation Fatally Flawed

For most people, the hardest part of their last few days on the job is finding the motivation to tie up loose ends before they leave. This should have been easy for the former chairman of the Federal Communications Commission (FCC), Tom Wheeler, who left the agency upon President Trump’s inauguration. After Trump’s election victory, congressional leadership advised Wheeler to focus his staff’s energies on consensus and administrative matters and to avoid complex or controversial issues.

Wheeler didn’t take their advice. Just two days before Trump’s inauguration, Wheeler’s FCC issued a white paper asserting that the agency (1) has jurisdiction to comprehensively regulate cybersecurity for commercial communications networks and (2) should regulate the cybersecurity practices of broadband internet service providers (ISPs) and other sectors of the communications industry.

The FCC’s report is not only complex and controversial, its key conclusions are wrong. Like the analysis in so many other items the Wheeler FCC issued, the report just presumes the agency has authority to do whatever it likes with regard to cybersecurity. It doesn’t. Congress has determined that the Department of Homeland Security (DHS) is the appropriate forum for addressing cybersecurity, not the FCC.

The FCC’s view of the cybersecurity marketplace is also based on something other than reality. Compelling evidence shows that market forces are in fact incentivizing substantial investment in the deployment of cybersecurity protections without the FCC’s interference.

Perhaps the fact that authority over cybersecurity matters has been delegated to DHS explains the FCC’s motivation for issuing the white paper during the 11th hour of Wheeler’s tenure. The Trump Administration is reportedly considering a reorganization of the FCC that would move duplicative functions to other agencies. The white paper’s claim that the FCC is “uniquely situated” to regulate cybersecurity for commercial networks appears to be a ploy to maintain the agency’s relevance to communications security issues even after the old telephone network is phased out entirely.

The FCC’s unsupported allegation of a cybersecurity market failure similarly appears designed to justify the agency’s desired role. The FCC suggests this role would be aimed at forcing ISPs to bear direct responsibility for and the costs of all cybersecurity regulation industrywide, an approach that supports Wheeler’s vision of subjecting ISPs to a unique FCC regulatory scheme premised on Title II.

The white paper’s proposed win-win for FCC job security (asserting jurisdiction) and Wheeler’s regulatory legacy (supporting Title II reclassification of broadband) would be a disaster for cybersecurity. The FCC does not have clear jurisdiction to address cybersecurity issues in a comprehensive manner, and the limited approach the agency envisions would create confusion and conflict with broader efforts that are already well underway at the DHS.

The white paper’s suggestion that the FCC focus its cybersecurity efforts on ISPs would also be ineffective. The ability of ISPs alone to mitigate cybersecurity risks is limited by technology and (ironically) Title II regulation itself. As a technical matter, ISPs can’t filter encrypted data traffic, and the use of encryption on the internet is growing. And as a regulatory matter, the FCC’s Title II rules prohibit ISPs from exercising control over significant sources of cybersecurity risk (like end-user devices and software). Security experts consider Apple’s mobile operating system (iOS) to be more secure than Google’s (Android), but if a wireless service provider were to prohibit the use of Android phones on its network to promote cybersecurity, it would be slapped with a Title II complaint faster than you can say “net neutrality.”

The FCC is not an appropriate forum for a comprehensive approach to cybersecurity

Despite its grandiose claims that the FCC is “uniquely situated to comprehensively address” cybersecurity due to its hold on ISPs, the agency has zero cyber expertise or jurisdiction. The white paper itself acknowledges that “[c]yber risk can be introduced at any stage of the communications supply chain, from product design, to testing, to manufacturing, to product introduction and distribution, to product maintenance and support, and finally, to product retirement.” Despite this reality, the FCC’s proposal for cybersecurity reporting requirements would be limited to “broadband internet access service” only, as defined in the agency’s net neutrality rules. That definition excludes internet backbone providers, content delivery networks, private internet connections, manufacturers, and devices and software of all kinds. The white paper never reconciles the FCC’s claim that it is “uniquely situated” to regulate cybersecurity issues with the fact that the agency hasn’t asserted regulatory jurisdiction over the vast majority of the cyber risk supply chain.

Congress has given the Department of Homeland Security express authority to address cybersecurity matters

There is no market failure impairing the deployment of cybersecurity protections by ISPs

Even if the FCC were an appropriate forum for cybersecurity regulation, the FCC’s attempt to justify a need to impose new rules on ISPs based on an alleged market failure is not supported by actual facts.

Private investment in cybersecurity is booming. From 2009 to 2014, corporate investment in cybersecurity companies increased 5x, and that investment has shown resilience to market turmoil. In mid-2016, Gartner predicted the global cybersecurity market would have a compound annual growth rate (CAGR) of 7.8% through 2020. A more recent report by M&M research estimates a CAGR of 10.6% through 2021 (from $122 billion in 2016 to $202 billion in 2021), and others are even more bullish. Median salaries for chief information security officers (CISOs) are going up, and CISOs “are becoming boardroom mainstays” who are expected to present accurate cyber risk information to leadership alongside corporate financials.

This evidence of increasing investment in cybersecurity and other private-industry responses to cyber risk offers no indication there is a market failure, and the FCC’s white paper doesn’t present any contrary facts. The agency claims that market forces alone aren’t providing the “necessary cybersecurity investment for society as a whole,” but provides no data regarding the actual level of private investment in cybersecurity or the actual level of cybercrime and its relation to that level of investment (if any). The FCC’s white paper also makes no effort to quantify the potential cost of the additional cybersecurity investments and regulations it considers “necessary” or to compare those costs to the benefits it expects its regulations to produce. The FCC apparently believes a naked conclusion is all that’s needed to justify its intervention.

Even if there were evidence of market failure, there is no indication that FCC meddling along the lines Wheeler suggested would solve it. Consider that the federal government appears to have fared no better at protecting its own networks and cyber assets from cybercrime than private industry. Cybercrime against federal agencies is often headline news:

The FCC has no role in adopting new cybersecurity regulations for the broadband industry, and the new Administration and Congress should keep it that way. Cyber oversight should be kept at the Department of Homeland Security where it belongs.